URL: https://github.com/freeipa/freeipa/pull/4960 Author: flo-renaud Title: #4960: [Backport][ipa-4-8] ipatests: Test IPACertNSSTrust check when trust attributes is modified for specific cert Action: opened
PR body: """ This PR was opened automatically because PR #4941 was pushed to master and backport to ipa-4-8 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4960/head:pr4960 git checkout pr4960
From a81bb95515530af0dabdb8c35672ac6b770fc384 Mon Sep 17 00:00:00 2001
From: sumenon <sume...@redhat.com>
Date: Fri, 24 Jul 2020 18:44:31 +0530
Subject: [PATCH] ipatests: Test IPACertNSSTrust check when trust attributes is modified for specific cert
This test modifies the trust attribute of Server-Cert and checks that healthcheck tool reports correct status
---
 .../test_integration/test_ipahealthcheck.py | 51 ++++++++++++++++++-
 1 file changed, 50 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index 729a685284..1e1e91aa11 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -723,7 +723,7 @@ def test_run_with_stopped_master(self, ipactl):
 errors = re.findall("ERROR: .*: not running", output)
 assert len(errors) == len(output.split('\n'))
- @pytest.fixture()
+ @pytest.fixture
 def move_ipa_ca_crt(self):
 """
 Fixture to move ipa_ca_crt and revert
@@ -760,6 +760,55 @@ def test_chainexpiration_check_without_cert(self, move_ipa_ca_crt):
 assert check["kw"]["error"] == error_text
 assert check["kw"]["msg"] == msg_text
+ @pytest.fixture
+ def modify_cert_trust_attr(self):
+ """
+ Fixture to modify trust attribute for Server-cert and
+ revert the change.
+ """
+ self.master.run_command(
+ [
+ "certutil",
+ "-M",
+ "-d", paths.PKI_TOMCAT_ALIAS_DIR,
+ "-n", "Server-Cert cert-pki-ca",
+ "-t", "CTu,u,u",
+ "-f", paths.PKI_TOMCAT_ALIAS_PWDFILE_TXT,
+ ]
+ )
+ yield
+ self.master.run_command(
+ [
+ "certutil",
+ "-M",
+ "-d", paths.PKI_TOMCAT_ALIAS_DIR,
+ "-n", "Server-Cert cert-pki-ca",
+ "-t", "u,u,u",
+ "-f", paths.PKI_TOMCAT_ALIAS_PWDFILE_TXT,
+ ]
+ )
+
+ def test_ipacertnsstrust_check(self, modify_cert_trust_attr):
+ """
+ Test for IPACertNSSTrust when trust attribute is modified
+ for Server-Cert
+ """
+ error_msg = (
+ "Incorrect NSS trust for {nickname} in {dbdir}. "
+ "Got {got} expected {expected}."
+ )
+ returncode, data = run_healthcheck(
+ self.master, "ipahealthcheck.ipa.certs", "IPACertNSSTrust",
+ )
+ assert returncode == 1
+ for check in data:
+ if check["kw"]["key"] == "Server-Cert cert-pki-ca":
+ assert check["result"] == "ERROR"
+ assert check["kw"]["expected"] == "u,u,u"
+ assert check["kw"]["got"] == "CTu,u,u"
+ assert check["kw"]["dbdir"] == paths.PKI_TOMCAT_ALIAS_DIR
+ assert check["kw"]["msg"] == error_msg
+
 def test_ipa_healthcheck_remove(self):
 """
 This testcase checks the removal of of healthcheck tool
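Review bot: The assertions in `test_ipacertnsstrust_check` all sit inside `if check["kw"]["key"] == "Server-Cert cert-pki-ca":`, so when no entry in `data` carries that key the loop asserts nothing and the test passes on `returncode == 1` alone, which another failing result from the same check could presumably produce. Since this test is the regression guard for healthcheck reporting an unexpected `CTu,u,u` trust on the server certificate, it should fail when that result is missing: select the entries first with `matched = [c for c in data if c["kw"]["key"] == "Server-Cert cert-pki-ca"]`, then `assert matched` before asserting on each one. The teardown half of `modify_cert_trust_attr` restores a hard-coded `u,u,u` rather than the flags read before the change, which matches the expected value asserted in the test but would hide a different starting state on the host. `run_healthcheck` and the enclosing test class are defined outside the hunk.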